feat(identity): 增加统一认证管理接口

提供接入码配对、配置查询、本地策略修改、验证、激活、回滚、禁用和公开运行时状态接口。写操作强制 Idempotency-Key 与 If-Match,后台 Exchange 支持重启恢复和过期收敛,并记录脱敏 Trace 与审计。\n\n验证:go test 相关 identity、store、identityruntime、httpapi 包;go vet ./apps/api/...
This commit is contained in:
chengcheng 2026-07-17 12:10:44 +08:00
parent a9e23cb237
commit 1fce3a535d
10 changed files with 767 additions and 33 deletions

View File

@ -0,0 +1,491 @@
package httpapi
import (
"crypto/sha256"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"strconv"
"strings"
"sync"
"time"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/auth"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/identity"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/store"
)
type identityConfigurationView struct {
Active *identity.Revision `json:"active"`
Draft *identity.Revision `json:"draft"`
Previous *identity.Revision `json:"previous"`
Pairing *identity.PairingExchange `json:"pairing,omitempty"`
Runtime identityRuntimeStatus `json:"runtime"`
}
type identityRuntimeStatus struct {
Enabled bool `json:"enabled"`
RevisionID string `json:"revisionId,omitempty"`
Login string `json:"login"`
JIT string `json:"jit"`
TokenIntrospection string `json:"tokenIntrospection"`
SessionRevocation string `json:"sessionRevocation"`
LastTraceID string `json:"lastTraceId,omitempty"`
LastAuditID string `json:"lastAuditId,omitempty"`
LastErrorCategory string `json:"lastErrorCategory,omitempty"`
}
type publicIdentityConfiguration struct {
Enabled bool `json:"enabled"`
OIDCLogin bool `json:"oidcLogin"`
LoginURL string `json:"loginUrl,omitempty"`
LogoutURL string `json:"logoutUrl,omitempty"`
Status string `json:"status"`
}
type identityPolicyPatch struct {
LocalTenantKey *string `json:"localTenantKey"`
RolePrefix *string `json:"rolePrefix"`
JITEnabled *bool `json:"jitEnabled"`
LegacyJWTEnabled *bool `json:"legacyJwtEnabled"`
SessionIdleSeconds *int `json:"sessionIdleSeconds"`
SessionAbsoluteSeconds *int `json:"sessionAbsoluteSeconds"`
SessionRefreshSeconds *int `json:"sessionRefreshSeconds"`
}
type storedIdentityResponse struct {
Status int `json:"status"`
Body json.RawMessage `json:"body"`
ETag string `json:"etag,omitempty"`
AuditID string `json:"auditId,omitempty"`
}
type identityWriteOperation struct {
operation, key, requestHash string
release func()
once sync.Once
}
func (operation *identityWriteOperation) close() {
if operation != nil {
operation.once.Do(operation.release)
}
}
func (s *Server) getPublicIdentityConfiguration(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Cache-Control", "no-store")
runtime := s.currentIdentityRuntime()
if runtime == nil || runtime.Revision.State != identity.RevisionActive {
writeJSON(w, http.StatusOK, publicIdentityConfiguration{Status: "disabled"})
return
}
view := publicIdentityConfiguration{Enabled: true, Status: "active"}
if oidcRuntimeReady(runtime) {
view.OIDCLogin = true
view.LoginURL = "/api/v1/auth/oidc/login"
view.LogoutURL = "/api/v1/auth/oidc/logout"
}
writeJSON(w, http.StatusOK, view)
}
func (s *Server) getIdentityConfiguration(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "no-store")
view := identityConfigurationView{Runtime: s.identityRuntimeStatus(r)}
if revision, err := s.store.ActiveIdentityConfigurationRevision(r.Context()); err == nil {
view.Active = &revision
} else if !errors.Is(err, identity.ErrRevisionNotFound) {
writeError(w, http.StatusServiceUnavailable, "统一认证配置暂时不可用", "IDENTITY_CONFIGURATION_UNAVAILABLE")
return
}
if revision, err := s.store.LatestInactiveIdentityConfigurationRevision(r.Context()); err == nil {
view.Draft = &revision
if pairing, pairingErr := s.store.IdentityPairingExchangeForRevision(r.Context(), revision.ID); pairingErr == nil {
view.Pairing = &pairing
}
} else if !errors.Is(err, identity.ErrRevisionNotFound) {
writeError(w, http.StatusServiceUnavailable, "统一认证草稿暂时不可用", "IDENTITY_CONFIGURATION_UNAVAILABLE")
return
}
if revision, err := s.store.LatestSupersededIdentityConfigurationRevision(r.Context()); err == nil {
view.Previous = &revision
} else if !errors.Is(err, identity.ErrRevisionNotFound) {
writeError(w, http.StatusServiceUnavailable, "统一认证历史版本暂时不可用", "IDENTITY_CONFIGURATION_UNAVAILABLE")
return
}
writeJSON(w, http.StatusOK, view)
}
func (s *Server) startIdentityPairing(w http.ResponseWriter, r *http.Request) {
var input identity.PairingInput
if !decodeIdentityRequest(w, r, &input) {
return
}
operation, ok := s.beginIdentityWrite(w, r, "pairing.start", 0, input)
if !ok {
return
}
defer operation.close()
traceID := ensureIdentityTraceID(w, r)
pairing, err := s.identityPairing.Start(r.Context(), input, traceID)
if err != nil {
s.writeIdentityError(w, r, "pairing.start", "", traceID, err)
return
}
auditID := s.recordIdentityConfigurationAudit(r, "pairing.start", pairing.RevisionID, "accepted", traceID, "")
pairing.AuthCenterAuditID = ""
s.completeIdentityWrite(w, r, operation, http.StatusAccepted, pairing, pairing.Version, auditID)
s.startIdentityPairingWorker(pairing.ID)
}
func (s *Server) getIdentityPairing(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "no-store")
pairing, err := s.store.IdentityPairingExchange(r.Context(), r.PathValue("pairingID"))
if err != nil {
s.writeIdentityError(w, r, "pairing.get", r.PathValue("pairingID"), ensureIdentityTraceID(w, r), err)
return
}
w.Header().Set("ETag", identityETag(pairing.Version))
writeJSON(w, http.StatusOK, pairing)
}
func (s *Server) updateIdentityDraftPolicy(w http.ResponseWriter, r *http.Request) {
var patch identityPolicyPatch
if !decodeIdentityRequest(w, r, &patch) {
return
}
expectedVersion, ok := requiredIdentityVersion(w, r)
if !ok {
return
}
operation, ok := s.beginIdentityWriteWithVersion(w, r, "revision.policy", expectedVersion, patch)
if !ok {
return
}
defer operation.close()
revision, err := s.store.IdentityConfigurationRevision(r.Context(), r.PathValue("revisionID"))
if err != nil || revision.Version != expectedVersion {
s.writeIdentityError(w, r, "revision.policy", r.PathValue("revisionID"), ensureIdentityTraceID(w, r), firstIdentityError(err, identity.ErrRevisionConflict))
return
}
policy := identity.RevisionPolicy{
LocalTenantKey: revision.LocalTenantKey, RolePrefix: revision.RolePrefix, JITEnabled: revision.JITEnabled,
LegacyJWTEnabled: revision.LegacyJWTEnabled, SessionIdleSeconds: revision.SessionIdleSeconds,
SessionAbsoluteSeconds: revision.SessionAbsoluteSeconds, SessionRefreshSeconds: revision.SessionRefreshSeconds,
}
applyIdentityPolicyPatch(&policy, patch)
updated, err := s.store.UpdateIdentityRevisionPolicy(r.Context(), revision.ID, expectedVersion, policy)
if err != nil {
s.writeIdentityError(w, r, "revision.policy", revision.ID, ensureIdentityTraceID(w, r), err)
return
}
traceID := ensureIdentityTraceID(w, r)
auditID := s.recordIdentityConfigurationAudit(r, "revision.policy", revision.ID, "success", traceID, "")
s.completeIdentityWrite(w, r, operation, http.StatusOK, updated, updated.Version, auditID)
}
func (s *Server) validateIdentityRevision(w http.ResponseWriter, r *http.Request) {
s.runIdentityRevisionAction(w, r, "revision.validate", func(expected int64, traceID, auditID string) (identity.Revision, error) {
return s.identityRuntime.Validate(r.Context(), r.PathValue("revisionID"), expected, traceID, auditID)
})
}
func (s *Server) activateIdentityRevision(w http.ResponseWriter, r *http.Request) {
s.runIdentityRevisionAction(w, r, "revision.activate", func(expected int64, traceID, auditID string) (identity.Revision, error) {
return s.identityRuntime.Activate(r.Context(), r.PathValue("revisionID"), expected, traceID, auditID)
})
}
func (s *Server) rollbackIdentityRevision(w http.ResponseWriter, r *http.Request) {
s.runIdentityRevisionAction(w, r, "revision.rollback", func(expected int64, traceID, auditID string) (identity.Revision, error) {
return s.identityRuntime.Rollback(r.Context(), r.PathValue("revisionID"), expected, traceID, auditID)
})
}
func (s *Server) disableIdentityConfiguration(w http.ResponseWriter, r *http.Request) {
expectedVersion, ok := requiredIdentityVersion(w, r)
if !ok {
return
}
operation, ok := s.beginIdentityWriteWithVersion(w, r, "revision.disable", expectedVersion, struct{}{})
if !ok {
return
}
defer operation.close()
traceID := ensureIdentityTraceID(w, r)
auditID := s.recordIdentityConfigurationAudit(r, "revision.disable", "active", "requested", traceID, "")
disabled, err := s.identityRuntime.Disable(r.Context(), expectedVersion, traceID, auditID)
if err != nil {
s.writeIdentityError(w, r, "revision.disable", "active", traceID, err)
return
}
s.completeIdentityWrite(w, r, operation, http.StatusOK, disabled, disabled.Version, auditID)
}
func (s *Server) runIdentityRevisionAction(w http.ResponseWriter, r *http.Request, action string, run func(int64, string, string) (identity.Revision, error)) {
expectedVersion, ok := requiredIdentityVersion(w, r)
if !ok {
return
}
operation, ok := s.beginIdentityWriteWithVersion(w, r, action, expectedVersion, struct{}{})
if !ok {
return
}
defer operation.close()
traceID := ensureIdentityTraceID(w, r)
auditID := s.recordIdentityConfigurationAudit(r, action, r.PathValue("revisionID"), "requested", traceID, "")
revision, err := run(expectedVersion, traceID, auditID)
if err != nil {
s.writeIdentityError(w, r, action, r.PathValue("revisionID"), traceID, err)
return
}
s.completeIdentityWrite(w, r, operation, http.StatusOK, revision, revision.Version, auditID)
}
func (s *Server) identityRuntimeStatus(r *http.Request) identityRuntimeStatus {
runtime := s.currentIdentityRuntime()
if runtime == nil {
return identityRuntimeStatus{Login: "disabled", JIT: "disabled", TokenIntrospection: "disabled", SessionRevocation: "disabled"}
}
revision := runtime.Revision
status := identityRuntimeStatus{
Enabled: true, RevisionID: revision.ID, Login: capabilityHealth(runtime.PublicClient != nil),
JIT: capabilityHealth(revision.JITEnabled), TokenIntrospection: capabilityHealth(revision.TokenIntrospection),
SessionRevocation: capabilityHealth(revision.SessionRevocation), LastTraceID: revision.LastTraceID,
LastAuditID: revision.LastAuditID, LastErrorCategory: revision.LastErrorCategory,
}
if revision.SessionRevocation && runtime.SecurityEvents != nil {
if connection, err := runtime.SecurityEvents.Get(r.Context()); err == nil && connection.LifecycleStatus != "active" {
status.SessionRevocation = connection.HealthMode
}
}
return status
}
func capabilityHealth(enabled bool) string {
if enabled {
return "healthy"
}
return "disabled"
}
func decodeIdentityRequest(w http.ResponseWriter, r *http.Request, output any) bool {
r.Body = http.MaxBytesReader(w, r.Body, 32*1024)
decoder := json.NewDecoder(r.Body)
decoder.DisallowUnknownFields()
if err := decoder.Decode(output); err != nil {
writeError(w, http.StatusBadRequest, "统一认证请求格式无效", "INVALID_REQUEST")
return false
}
if err := decoder.Decode(&struct{}{}); !errors.Is(err, io.EOF) {
writeError(w, http.StatusBadRequest, "统一认证请求格式无效", "INVALID_REQUEST")
return false
}
return true
}
func (s *Server) beginIdentityWrite(w http.ResponseWriter, r *http.Request, operation string, version int64, request any) (*identityWriteOperation, bool) {
if parsed, ok := requiredIdentityVersion(w, r); !ok || parsed != version {
if ok {
writeError(w, http.StatusPreconditionFailed, "统一认证配置版本已变化", "IDENTITY_VERSION_CONFLICT")
}
return nil, false
}
return s.beginIdentityWriteWithVersion(w, r, operation, version, request)
}
func (s *Server) beginIdentityWriteWithVersion(w http.ResponseWriter, r *http.Request, operation string, version int64, request any) (*identityWriteOperation, bool) {
key := strings.TrimSpace(r.Header.Get("Idempotency-Key"))
if key == "" || len(key) > 255 {
writeError(w, http.StatusBadRequest, "Idempotency-Key is required", "IDEMPOTENCY_KEY_REQUIRED")
return nil, false
}
encoded, _ := json.Marshal(request)
digest := sha256.Sum256(append([]byte(fmt.Sprintf("%s\x00%d\x00", operation, version)), encoded...))
requestHash := fmt.Sprintf("%x", digest[:])
s.identityManagementMu.Lock()
write := &identityWriteOperation{operation: operation, key: key, requestHash: requestHash, release: s.identityManagementMu.Unlock}
if s.store == nil {
return write, true
}
recorded, err := s.store.IdentityManagementRequest(r.Context(), operation, key)
if errors.Is(err, store.ErrIdentityManagementRequestNotFound) {
return write, true
}
if err != nil {
write.close()
writeError(w, http.StatusServiceUnavailable, "幂等状态暂时不可用", "IDENTITY_IDEMPOTENCY_UNAVAILABLE")
return nil, false
}
if recorded.RequestHash != requestHash {
write.close()
writeError(w, http.StatusConflict, "Idempotency-Key 已用于其他请求", "IDEMPOTENCY_KEY_REUSED")
return nil, false
}
var response storedIdentityResponse
if json.Unmarshal(recorded.Response, &response) != nil {
write.close()
writeError(w, http.StatusServiceUnavailable, "幂等响应暂时不可用", "IDENTITY_IDEMPOTENCY_UNAVAILABLE")
return nil, false
}
write.close()
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Idempotent-Replayed", "true")
if response.ETag != "" {
w.Header().Set("ETag", response.ETag)
}
if response.AuditID != "" {
w.Header().Set("X-Audit-Id", response.AuditID)
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(response.Status)
_, _ = w.Write(response.Body)
return nil, false
}
func (s *Server) completeIdentityWrite(w http.ResponseWriter, r *http.Request, operation *identityWriteOperation, status int, payload any, version int64, auditID string) {
body, _ := json.Marshal(payload)
stored, _ := json.Marshal(storedIdentityResponse{Status: status, Body: body, ETag: identityETag(version), AuditID: auditID})
if s.store != nil {
if err := s.store.RecordIdentityManagementRequest(r.Context(), store.IdentityManagementRequest{
Operation: operation.operation, Key: operation.key, RequestHash: operation.requestHash, Response: stored,
}); err != nil && s.logger != nil {
s.logger.ErrorContext(r.Context(), "identity idempotency response could not be recorded", "operation", operation.operation, "error_category", "idempotency_store_failed")
}
}
operation.close()
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("ETag", identityETag(version))
if auditID != "" {
w.Header().Set("X-Audit-Id", auditID)
}
writeJSON(w, status, payload)
}
func requiredIdentityVersion(w http.ResponseWriter, r *http.Request) (int64, bool) {
value := strings.Trim(strings.TrimPrefix(strings.TrimSpace(r.Header.Get("If-Match")), "W/"), `"`)
version, err := strconv.ParseInt(value, 10, 64)
if err != nil || version < 0 {
writeError(w, http.StatusPreconditionRequired, "If-Match is required", "IF_MATCH_REQUIRED")
return 0, false
}
return version, true
}
func identityETag(version int64) string { return fmt.Sprintf(`W/"%d"`, version) }
func applyIdentityPolicyPatch(policy *identity.RevisionPolicy, patch identityPolicyPatch) {
if patch.LocalTenantKey != nil {
policy.LocalTenantKey = strings.TrimSpace(*patch.LocalTenantKey)
}
if patch.RolePrefix != nil {
policy.RolePrefix = strings.TrimSpace(*patch.RolePrefix)
}
if patch.JITEnabled != nil {
policy.JITEnabled = *patch.JITEnabled
}
if patch.LegacyJWTEnabled != nil {
policy.LegacyJWTEnabled = *patch.LegacyJWTEnabled
}
if patch.SessionIdleSeconds != nil {
policy.SessionIdleSeconds = *patch.SessionIdleSeconds
}
if patch.SessionAbsoluteSeconds != nil {
policy.SessionAbsoluteSeconds = *patch.SessionAbsoluteSeconds
}
if patch.SessionRefreshSeconds != nil {
policy.SessionRefreshSeconds = *patch.SessionRefreshSeconds
}
}
func firstIdentityError(actual, fallback error) error {
if actual != nil {
return actual
}
return fallback
}
func ensureIdentityTraceID(w http.ResponseWriter, r *http.Request) string {
return ensureSecurityEventTraceID(w, r)
}
func (s *Server) writeIdentityError(w http.ResponseWriter, r *http.Request, action, targetID, traceID string, err error) {
status, message, code := identityErrorProjection(err)
s.recordIdentityConfigurationAudit(r, action, targetID, "failure", traceID, code)
writeError(w, status, message, code)
}
func identityErrorProjection(err error) (int, string, string) {
switch {
case errors.Is(err, identity.ErrRevisionNotFound):
return http.StatusNotFound, "统一认证配置不存在", "IDENTITY_CONFIGURATION_NOT_FOUND"
case errors.Is(err, identity.ErrRevisionConflict):
return http.StatusPreconditionFailed, "统一认证配置版本或状态已变化", "IDENTITY_VERSION_CONFLICT"
case errors.Is(err, identity.ErrBreakGlassRequired):
return http.StatusConflict, "请先保留至少一个可用的本地应急管理员凭据", "BREAK_GLASS_MANAGER_REQUIRED"
case errors.Is(err, identity.ErrLocalTenantInvalid):
return http.StatusConflict, "本地租户映射无效", "IDENTITY_LOCAL_TENANT_INVALID"
case err != nil && (strings.Contains(err.Error(), "invalid") || strings.Contains(err.Error(), "required")):
return http.StatusBadRequest, "统一认证配置无效", "IDENTITY_CONFIGURATION_INVALID"
default:
return http.StatusBadGateway, "认证中心或统一认证服务暂时不可用", "IDENTITY_SERVICE_UNAVAILABLE"
}
}
func (s *Server) recordIdentityConfigurationAudit(r *http.Request, action, targetID, outcome, traceID, errorCategory string) string {
if s.store == nil {
return ""
}
actor, _ := auth.UserFromContext(r.Context())
input := store.AuditLogInput{
Category: "identity", Action: "identity." + action, TargetType: "identity_configuration_revision",
TargetID: firstNonEmptyText(targetID, "pending"), RequestIP: limitAuditText(requestIP(r), 128),
UserAgent: limitAuditText(r.UserAgent(), 512), Metadata: map[string]any{
"outcome": outcome, "traceId": traceID, "errorCategory": errorCategory,
},
}
if actor != nil {
input.ActorGatewayUserID = uuidText(firstNonEmptyText(actor.GatewayUserID, actor.ID))
input.ActorUserID, input.ActorUsername, input.ActorSource, input.ActorRoles = actor.ID, actor.Username, actor.Source, actor.Roles
}
audit, err := s.store.RecordAuditLog(r.Context(), input)
if err != nil {
if s.logger != nil {
s.logger.WarnContext(r.Context(), "record identity audit failed", "action", action, "error_category", "audit_store_failed", "trace_id", traceID)
}
return ""
}
return audit.ID
}
func (s *Server) startIdentityPairingWorker(pairingID string) {
if _, loaded := s.identityPairingWorkers.LoadOrStore(pairingID, struct{}{}); loaded {
return
}
go func() {
defer s.identityPairingWorkers.Delete(pairingID)
delay := time.Second
for {
pairing, err := s.identityPairing.Continue(s.ctx, pairingID)
if err == nil {
if pairing.Status == identity.PairingCompleted || pairing.Status == identity.PairingFailed || pairing.Status == identity.PairingExpired {
return
}
delay = time.Second
} else {
if s.logger != nil {
s.logger.Warn("identity pairing step failed and will retry", "pairing_id", pairingID, "error_category", "pairing_step_failed")
}
if delay < 15*time.Second {
delay *= 2
}
}
select {
case <-s.ctx.Done():
return
case <-time.After(delay):
}
}
}()
}

View File

@ -0,0 +1,33 @@
package httpapi
import (
"net/http"
"net/http/httptest"
"testing"
)
func TestRequiredIdentityWriteHeaders(t *testing.T) {
request := httptest.NewRequest(http.MethodPost, "/identity", nil)
recorder := httptest.NewRecorder()
if _, ok := requiredIdentityVersion(recorder, request); ok || recorder.Code != http.StatusPreconditionRequired {
t.Fatalf("missing If-Match status=%d", recorder.Code)
}
request.Header.Set("If-Match", `W/"7"`)
recorder = httptest.NewRecorder()
version, ok := requiredIdentityVersion(recorder, request)
if !ok || version != 7 {
t.Fatalf("weak ETag version=%d ok=%v", version, ok)
}
}
func TestIdentityErrorProjectionProtectsInternalDetails(t *testing.T) {
status, message, code := identityErrorProjection(assertionError("upstream response contained secret-token"))
if status != http.StatusBadGateway || code != "IDENTITY_SERVICE_UNAVAILABLE" || message == "upstream response contained secret-token" {
t.Fatalf("unsafe error projection status=%d code=%q message=%q", status, code, message)
}
}
type assertionError string
func (err assertionError) Error() string { return string(err) }

View File

@ -20,21 +20,23 @@ import (
)
type Server struct {
ctx context.Context
cfg config.Config
store *store.Store
oidcUserResolver oidcUserResolver
auth *auth.Authenticator
oidcClient oidcPublicClient
oidcSessions oidcSessionManager
oidcSessionCipher *oidcsession.Cipher
runner *runner.Service
logger *slog.Logger
geminiUploadSessions sync.Map
securityEventReceiver http.Handler
securityEventManager *ssfreceiver.ConnectionManager
identityRuntime *identityruntime.Manager
identityPairing *identity.PairingService
ctx context.Context
cfg config.Config
store *store.Store
oidcUserResolver oidcUserResolver
auth *auth.Authenticator
oidcClient oidcPublicClient
oidcSessions oidcSessionManager
oidcSessionCipher *oidcsession.Cipher
runner *runner.Service
logger *slog.Logger
geminiUploadSessions sync.Map
securityEventReceiver http.Handler
securityEventManager *ssfreceiver.ConnectionManager
identityRuntime *identityruntime.Manager
identityPairing *identity.PairingService
identityManagementMu sync.Mutex
identityPairingWorkers sync.Map
}
type oidcPublicClient interface {
@ -77,8 +79,8 @@ func NewServerWithContext(ctx context.Context, cfg config.Config, db *store.Stor
runtimeBuilder := identityruntime.NewRuntimeBuilder(ctx, db, secretStore, identityruntime.RuntimeBuilderConfig{
AppEnv: cfg.AppEnv, JWKSCacheTTL: 5 * time.Minute,
HeartbeatInterval: time.Duration(cfg.OIDCSecurityEventsHeartbeatIntervalSeconds) * time.Second,
StaleAfter: time.Duration(cfg.OIDCSecurityEventsStaleAfterSeconds) * time.Second,
ClockSkew: time.Duration(cfg.OIDCSecurityEventsClockSkewSeconds) * time.Second,
StaleAfter: time.Duration(cfg.OIDCSecurityEventsStaleAfterSeconds) * time.Second,
ClockSkew: time.Duration(cfg.OIDCSecurityEventsClockSkewSeconds) * time.Second,
}, securityEventMetrics)
server.identityRuntime = identityruntime.NewManager(db, runtimeBuilder)
if err := server.identityRuntime.LoadActive(ctx); err != nil && logger != nil {
@ -87,6 +89,13 @@ func NewServerWithContext(ctx context.Context, cfg config.Config, db *store.Stor
server.identityPairing = identity.NewPairingService(db, secretStore, func(baseURL string) (identity.OnboardingRemote, error) {
return identity.NewOnboardingClient(baseURL, nil)
}, server.identityRuntime)
if pending, pendingErr := db.PendingIdentityPairingExchanges(ctx); pendingErr == nil {
for _, pairing := range pending {
server.startIdentityPairingWorker(pairing.ID)
}
} else if logger != nil {
logger.Warn("pending identity pairings could not be resumed", "error_category", "pairing_resume_failed")
}
server.auth.OIDCVerifierProvider = func() *auth.OIDCVerifier {
if runtime := server.identityRuntime.Current(); runtime != nil {
return runtime.Verifier
@ -124,6 +133,7 @@ func NewServerWithContext(ctx context.Context, cfg config.Config, db *store.Stor
mux.HandleFunc("GET /api/v1/auth/oidc/callback", server.completeOIDCLogin)
mux.HandleFunc("POST /api/v1/auth/oidc/logout", server.logoutOIDCSession)
mux.HandleFunc("DELETE /api/v1/auth/oidc/session", server.deleteOIDCBrowserSession)
mux.HandleFunc("GET /api/v1/public/identity", server.getPublicIdentityConfiguration)
mux.HandleFunc("POST /api/v1/security-events/ssf", server.receiveSecurityEvent)
mux.Handle("GET /api/v1/me", server.requireUser(auth.PermissionBasic, http.HandlerFunc(server.me)))
mux.Handle("GET /api/v1/public/catalog/providers", server.auth.Require(auth.PermissionPublic, http.HandlerFunc(server.listCatalogProviders)))
@ -194,6 +204,14 @@ func NewServerWithContext(ctx context.Context, cfg config.Config, db *store.Stor
mux.Handle("PATCH /api/admin/system/file-storage/settings", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.updateFileStorageSettings)))
mux.Handle("GET /api/admin/system/client-customization/settings", server.requireAdmin(auth.PermissionPower, http.HandlerFunc(server.getClientCustomizationSettings)))
mux.Handle("PATCH /api/admin/system/client-customization/settings", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.updateClientCustomizationSettings)))
mux.Handle("GET /api/admin/system/identity/configuration", server.requireAdmin(auth.PermissionPower, http.HandlerFunc(server.getIdentityConfiguration)))
mux.Handle("POST /api/admin/system/identity/pairings", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.startIdentityPairing)))
mux.Handle("GET /api/admin/system/identity/pairings/{pairingID}", server.requireAdmin(auth.PermissionPower, http.HandlerFunc(server.getIdentityPairing)))
mux.Handle("PATCH /api/admin/system/identity/revisions/{revisionID}", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.updateIdentityDraftPolicy)))
mux.Handle("POST /api/admin/system/identity/revisions/{revisionID}/validate", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.validateIdentityRevision)))
mux.Handle("POST /api/admin/system/identity/revisions/{revisionID}/activate", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.activateIdentityRevision)))
mux.Handle("POST /api/admin/system/identity/revisions/{revisionID}/rollback", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.rollbackIdentityRevision)))
mux.Handle("POST /api/admin/system/identity/disable", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.disableIdentityConfiguration)))
mux.Handle("GET /api/admin/system/identity/security-events/connection", server.requireAdmin(auth.PermissionPower, http.HandlerFunc(server.getSecurityEventConnection)))
mux.Handle("PUT /api/admin/system/identity/security-events/connection", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.putSecurityEventConnection)))
mux.Handle("POST /api/admin/system/identity/security-events/connection/verify", server.requireAdmin(auth.PermissionManager, http.HandlerFunc(server.verifySecurityEventConnection)))

View File

@ -17,6 +17,27 @@ var (
ErrLocalTenantInvalid = errors.New("local tenant mapping is invalid")
)
type RevisionPolicy struct {
LocalTenantKey string `json:"localTenantKey"`
RolePrefix string `json:"rolePrefix"`
JITEnabled bool `json:"jitEnabled"`
LegacyJWTEnabled bool `json:"legacyJwtEnabled"`
SessionIdleSeconds int `json:"sessionIdleSeconds"`
SessionAbsoluteSeconds int `json:"sessionAbsoluteSeconds"`
SessionRefreshSeconds int `json:"sessionRefreshSeconds"`
}
func (policy RevisionPolicy) Validate() error {
if strings.TrimSpace(policy.LocalTenantKey) == "" || strings.TrimSpace(policy.RolePrefix) == "" {
return errors.New("local tenant mapping and role prefix are required")
}
if policy.SessionIdleSeconds <= 0 || policy.SessionAbsoluteSeconds <= policy.SessionIdleSeconds ||
policy.SessionRefreshSeconds <= 0 || policy.SessionRefreshSeconds >= policy.SessionIdleSeconds {
return errors.New("identity session policy is invalid")
}
return nil
}
type RevisionState string
const (

View File

@ -129,6 +129,15 @@ func (service *PairingService) Continue(ctx context.Context, pairingID string) (
if pairing.Status == PairingCompleted || pairing.Status == PairingFailed || pairing.Status == PairingExpired {
return pairing, nil
}
if !pairing.ExpiresAt.After(time.Now()) {
expired, updateErr := service.repository.UpdateIdentityPairingExchange(ctx, pairing.ID, pairing.Version, PairingExchangeUpdate{
Status: PairingExpired, RemoteVersion: pairing.RemoteVersion, LastErrorCategory: "exchange_expired",
})
if updateErr == nil {
_ = service.secrets.Delete(ctx, pairing.ExchangeTokenRef)
}
return expired, updateErr
}
revision, err := service.repository.IdentityConfigurationRevision(ctx, pairing.RevisionID)
if err != nil {
return PairingExchange{}, err

View File

@ -154,3 +154,26 @@ func TestPairingRetriesWithRotatedCredentialAfterSecretStoreFailure(t *testing.T
t.Fatalf("revision did not retain SecretStore references: %#v", repository.revision)
}
}
func TestPairingExpirationIsPersistedAndExchangeTokenIsDestroyed(t *testing.T) {
repository := &pairingRepositoryFake{exchange: PairingExchange{
ID: "pairing", RevisionID: "revision", ExchangeTokenRef: "identity-exchange-pairing",
Status: PairingPreparing, RemoteVersion: 2, ExpiresAt: time.Now().Add(-time.Minute), Version: 4,
}}
secrets := &secretStoreFake{values: map[string][]byte{"identity-exchange-pairing": []byte("temporary-token")}}
service := NewPairingService(repository, secrets, func(string) (OnboardingRemote, error) {
t.Fatal("expired exchange must not call the remote service")
return nil, nil
}, nil)
expired, err := service.Continue(context.Background(), "pairing")
if err != nil {
t.Fatal(err)
}
if expired.Status != PairingExpired || expired.LastErrorCategory != "exchange_expired" {
t.Fatalf("expired pairing was not persisted: %#v", expired)
}
if _, exists := secrets.values["identity-exchange-pairing"]; exists {
t.Fatal("expired exchange token remained in SecretStore")
}
}

View File

@ -18,8 +18,8 @@ type Repository interface {
ActiveIdentityConfigurationRevision(context.Context) (identity.Revision, error)
MarkIdentityRevisionValidated(context.Context, string, int64, string, string) (identity.Revision, error)
MarkIdentityRevisionFailed(context.Context, string, int64, string, string, string) (identity.Revision, error)
ActivateIdentityRevision(context.Context, string, int64) (identity.Revision, bool, error)
DisableActiveIdentityRevision(context.Context, int64) (identity.Revision, error)
ActivateIdentityRevision(context.Context, string, int64, string, string) (identity.Revision, bool, error)
DisableActiveIdentityRevision(context.Context, int64, string, string) (identity.Revision, error)
}
type Builder interface {
@ -96,7 +96,7 @@ func (manager *Manager) Validate(ctx context.Context, id string, expectedVersion
return manager.repository.MarkIdentityRevisionValidated(ctx, id, expectedVersion, traceID, auditID)
}
func (manager *Manager) Activate(ctx context.Context, id string, expectedVersion int64) (identity.Revision, error) {
func (manager *Manager) Activate(ctx context.Context, id string, expectedVersion int64, traceID, auditID string) (identity.Revision, error) {
manager.operation.Lock()
defer manager.operation.Unlock()
revision, err := manager.repository.IdentityConfigurationRevision(ctx, id)
@ -110,7 +110,7 @@ func (manager *Manager) Activate(ctx context.Context, id string, expectedVersion
if err != nil {
return identity.Revision{}, err
}
activated, _, err := manager.repository.ActivateIdentityRevision(ctx, id, expectedVersion)
activated, _, err := manager.repository.ActivateIdentityRevision(ctx, id, expectedVersion, traceID, auditID)
if err != nil {
candidate.Close()
return identity.Revision{}, err
@ -121,10 +121,40 @@ func (manager *Manager) Activate(ctx context.Context, id string, expectedVersion
return activated, nil
}
func (manager *Manager) Disable(ctx context.Context, expectedVersion int64) (identity.Revision, error) {
func (manager *Manager) Rollback(ctx context.Context, id string, expectedVersion int64, traceID, auditID string) (identity.Revision, error) {
manager.operation.Lock()
defer manager.operation.Unlock()
disabled, err := manager.repository.DisableActiveIdentityRevision(ctx, expectedVersion)
revision, err := manager.repository.IdentityConfigurationRevision(ctx, id)
if err != nil {
return identity.Revision{}, err
}
if revision.Version != expectedVersion || revision.State != identity.RevisionSuperseded {
return identity.Revision{}, identity.ErrRevisionConflict
}
candidate, err := manager.builder.Build(ctx, revision)
if err != nil {
return identity.Revision{}, err
}
validated, err := manager.repository.MarkIdentityRevisionValidated(ctx, id, expectedVersion, traceID, auditID)
if err != nil {
candidate.Close()
return identity.Revision{}, err
}
activated, _, err := manager.repository.ActivateIdentityRevision(ctx, id, validated.Version, traceID, auditID)
if err != nil {
candidate.Close()
return identity.Revision{}, err
}
candidate.Revision = activated
old := manager.current.Swap(candidate)
retireRuntime(old)
return activated, nil
}
func (manager *Manager) Disable(ctx context.Context, expectedVersion int64, traceID, auditID string) (identity.Revision, error) {
manager.operation.Lock()
defer manager.operation.Unlock()
disabled, err := manager.repository.DisableActiveIdentityRevision(ctx, expectedVersion, traceID, auditID)
if err != nil {
return identity.Revision{}, err
}

View File

@ -45,7 +45,7 @@ func (f *runtimeRepositoryFake) MarkIdentityRevisionFailed(_ context.Context, id
f.revisions[id] = revision
return revision, nil
}
func (f *runtimeRepositoryFake) ActivateIdentityRevision(_ context.Context, id string, expected int64) (identity.Revision, bool, error) {
func (f *runtimeRepositoryFake) ActivateIdentityRevision(_ context.Context, id string, expected int64, traceID, auditID string) (identity.Revision, bool, error) {
f.activateCalled = true
revision := f.revisions[id]
if revision.Version != expected || revision.State != identity.RevisionValidated {
@ -56,16 +56,16 @@ func (f *runtimeRepositoryFake) ActivateIdentityRevision(_ context.Context, id s
old.State = identity.RevisionSuperseded
f.revisions[old.ID] = old
}
revision.State, revision.Version = identity.RevisionActive, revision.Version+1
revision.State, revision.Version, revision.LastTraceID, revision.LastAuditID = identity.RevisionActive, revision.Version+1, traceID, auditID
f.active, f.revisions[id] = revision, revision
return revision, true, nil
}
func (f *runtimeRepositoryFake) DisableActiveIdentityRevision(_ context.Context, expected int64) (identity.Revision, error) {
func (f *runtimeRepositoryFake) DisableActiveIdentityRevision(_ context.Context, expected int64, traceID, auditID string) (identity.Revision, error) {
if f.active.Version != expected {
return identity.Revision{}, identity.ErrRevisionConflict
}
disabled := f.active
disabled.State, disabled.Version = identity.RevisionSuperseded, disabled.Version+1
disabled.State, disabled.Version, disabled.LastTraceID, disabled.LastAuditID = identity.RevisionSuperseded, disabled.Version+1, traceID, auditID
f.revisions[disabled.ID] = disabled
f.active = identity.Revision{}
return disabled, nil
@ -110,7 +110,7 @@ func TestActivationSwapsRuntimeOnlyAfterRepositoryActivation(t *testing.T) {
manager := NewManager(repository, &runtimeBuilderFake{})
manager.current.Store(&Runtime{Revision: active})
activated, err := manager.Activate(context.Background(), candidate.ID, candidate.Version)
activated, err := manager.Activate(context.Background(), candidate.ID, candidate.Version, "trace", "audit")
if err != nil {
t.Fatal(err)
}
@ -118,3 +118,21 @@ func TestActivationSwapsRuntimeOnlyAfterRepositoryActivation(t *testing.T) {
t.Fatalf("activation order failed: activated=%#v current=%#v", activated, manager.Current())
}
}
func TestRollbackValidatesAndAtomicallyReplacesActiveRuntime(t *testing.T) {
active := identity.Revision{ID: "current", State: identity.RevisionActive, Version: 5}
previous := identity.Revision{ID: "previous", State: identity.RevisionSuperseded, Version: 3}
repository := &runtimeRepositoryFake{
revisions: map[string]identity.Revision{"current": active, "previous": previous}, active: active,
}
manager := NewManager(repository, &runtimeBuilderFake{})
manager.current.Store(&Runtime{Revision: active})
rolledBack, err := manager.Rollback(context.Background(), previous.ID, previous.Version, "trace", "audit")
if err != nil {
t.Fatal(err)
}
if rolledBack.State != identity.RevisionActive || manager.Current().Revision.ID != previous.ID || repository.active.ID != previous.ID {
t.Fatalf("rollback did not replace active runtime: revision=%#v current=%#v", rolledBack, manager.Current())
}
}

View File

@ -4,11 +4,22 @@ import (
"context"
"encoding/json"
"errors"
"time"
"github.com/easyai/easyai-ai-gateway/apps/api/internal/identity"
"github.com/jackc/pgx/v5"
)
var ErrIdentityManagementRequestNotFound = errors.New("identity management request not found")
type IdentityManagementRequest struct {
Operation string
Key string
RequestHash string
Response []byte
CreatedAt time.Time
}
const identityRevisionColumns = `
id::text,state,schema_version,auth_center_url,COALESCE(issuer,''),COALESCE(tenant_id,''),COALESCE(application_id,''),
COALESCE(audience,''),COALESCE(browser_client_id,''),COALESCE(machine_client_id,''),scopes,capabilities,role_prefix,
@ -45,6 +56,57 @@ FROM gateway_identity_configuration_revisions WHERE state='active'`))
return revision, normalizeIdentityRevisionError(err)
}
func (s *Store) LatestInactiveIdentityConfigurationRevision(ctx context.Context) (identity.Revision, error) {
revision, err := scanIdentityRevision(s.pool.QueryRow(ctx, `SELECT `+identityRevisionColumns+`
FROM gateway_identity_configuration_revisions WHERE state IN ('draft','validated','failed') ORDER BY created_at DESC LIMIT 1`))
return revision, normalizeIdentityRevisionError(err)
}
func (s *Store) LatestSupersededIdentityConfigurationRevision(ctx context.Context) (identity.Revision, error) {
revision, err := scanIdentityRevision(s.pool.QueryRow(ctx, `SELECT `+identityRevisionColumns+`
FROM gateway_identity_configuration_revisions WHERE state='superseded' ORDER BY superseded_at DESC NULLS LAST LIMIT 1`))
return revision, normalizeIdentityRevisionError(err)
}
func (s *Store) UpdateIdentityRevisionPolicy(ctx context.Context, id string, expectedVersion int64, policy identity.RevisionPolicy) (identity.Revision, error) {
if err := policy.Validate(); err != nil {
return identity.Revision{}, err
}
revision, err := scanIdentityRevision(s.pool.QueryRow(ctx, `
UPDATE gateway_identity_configuration_revisions SET local_tenant_key=$3,role_prefix=$4,jit_enabled=$5,
legacy_jwt_enabled=$6,session_idle_seconds=$7,session_absolute_seconds=$8,session_refresh_seconds=$9,
version=version+1,updated_at=now()
WHERE id=$1::uuid AND version=$2 AND state='draft'
RETURNING `+identityRevisionColumns, id, expectedVersion, policy.LocalTenantKey, policy.RolePrefix, policy.JITEnabled,
policy.LegacyJWTEnabled, policy.SessionIdleSeconds, policy.SessionAbsoluteSeconds, policy.SessionRefreshSeconds))
if errors.Is(err, pgx.ErrNoRows) {
return identity.Revision{}, identity.ErrRevisionConflict
}
return revision, err
}
func (s *Store) IdentityManagementRequest(ctx context.Context, operation, key string) (IdentityManagementRequest, error) {
var request IdentityManagementRequest
err := s.pool.QueryRow(ctx, `SELECT operation,idempotency_key,request_hash,response,created_at
FROM gateway_identity_management_requests WHERE operation=$1 AND idempotency_key=$2`, operation, key).Scan(
&request.Operation, &request.Key, &request.RequestHash, &request.Response, &request.CreatedAt,
)
if errors.Is(err, pgx.ErrNoRows) {
return IdentityManagementRequest{}, ErrIdentityManagementRequestNotFound
}
return request, err
}
func (s *Store) RecordIdentityManagementRequest(ctx context.Context, request IdentityManagementRequest) error {
if !json.Valid(request.Response) {
return errors.New("identity management response is invalid")
}
_, err := s.pool.Exec(ctx, `INSERT INTO gateway_identity_management_requests(operation,idempotency_key,request_hash,response)
VALUES($1,$2,$3,$4::jsonb) ON CONFLICT(operation,idempotency_key) DO NOTHING`,
request.Operation, request.Key, request.RequestHash, request.Response)
return err
}
func (s *Store) ApplyIdentityManifest(ctx context.Context, id string, expectedVersion int64, applied identity.ManifestApplication) (identity.Revision, error) {
current, err := s.IdentityConfigurationRevision(ctx, id)
if err != nil {
@ -103,7 +165,7 @@ RETURNING `+identityRevisionColumns, id, expectedVersion, category, traceID, aud
return revision, err
}
func (s *Store) ActivateIdentityRevision(ctx context.Context, id string, expectedVersion int64) (identity.Revision, bool, error) {
func (s *Store) ActivateIdentityRevision(ctx context.Context, id string, expectedVersion int64, traceID, auditID string) (identity.Revision, bool, error) {
tx, err := s.pool.BeginTx(ctx, pgx.TxOptions{IsoLevel: pgx.Serializable})
if err != nil {
return identity.Revision{}, false, err
@ -143,8 +205,8 @@ version=version+1,updated_at=now() WHERE id=$1::uuid AND state='active'`, previo
}
}
revision, err := scanIdentityRevision(tx.QueryRow(ctx, `UPDATE gateway_identity_configuration_revisions SET state='active',
activated_at=now(),superseded_at=NULL,version=version+1,updated_at=now() WHERE id=$1::uuid AND version=$2 AND state='validated'
RETURNING `+identityRevisionColumns, id, expectedVersion))
activated_at=now(),superseded_at=NULL,last_trace_id=NULLIF($3,''),last_audit_id=NULLIF($4,''),version=version+1,updated_at=now()
WHERE id=$1::uuid AND version=$2 AND state='validated' RETURNING `+identityRevisionColumns, id, expectedVersion, traceID, auditID))
if err != nil {
return identity.Revision{}, false, err
}
@ -160,7 +222,7 @@ RETURNING `+identityRevisionColumns, id, expectedVersion))
return revision, identityChanged, nil
}
func (s *Store) DisableActiveIdentityRevision(ctx context.Context, expectedVersion int64) (identity.Revision, error) {
func (s *Store) DisableActiveIdentityRevision(ctx context.Context, expectedVersion int64, traceID, auditID string) (identity.Revision, error) {
tx, err := s.pool.BeginTx(ctx, pgx.TxOptions{IsoLevel: pgx.Serializable})
if err != nil {
return identity.Revision{}, err
@ -172,7 +234,8 @@ func (s *Store) DisableActiveIdentityRevision(ctx context.Context, expectedVersi
return identity.Revision{}, identity.ErrBreakGlassRequired
}
revision, err := scanIdentityRevision(tx.QueryRow(ctx, `UPDATE gateway_identity_configuration_revisions SET state='superseded',
superseded_at=now(),version=version+1,updated_at=now() WHERE state='active' AND version=$1 RETURNING `+identityRevisionColumns, expectedVersion))
superseded_at=now(),last_trace_id=NULLIF($2,''),last_audit_id=NULLIF($3,''),version=version+1,updated_at=now()
WHERE state='active' AND version=$1 RETURNING `+identityRevisionColumns, expectedVersion, traceID, auditID))
if errors.Is(err, pgx.ErrNoRows) {
return identity.Revision{}, identity.ErrRevisionConflict
}

View File

@ -32,6 +32,34 @@ FROM gateway_identity_onboarding_exchanges WHERE id=$1::uuid`, id))
return exchange, err
}
func (s *Store) IdentityPairingExchangeForRevision(ctx context.Context, revisionID string) (identity.PairingExchange, error) {
exchange, err := scanIdentityPairing(s.pool.QueryRow(ctx, `SELECT `+identityPairingColumns+`
FROM gateway_identity_onboarding_exchanges WHERE revision_id=$1::uuid`, revisionID))
if errors.Is(err, pgx.ErrNoRows) {
return identity.PairingExchange{}, identity.ErrRevisionNotFound
}
return exchange, err
}
func (s *Store) PendingIdentityPairingExchanges(ctx context.Context) ([]identity.PairingExchange, error) {
rows, err := s.pool.Query(ctx, `SELECT `+identityPairingColumns+`
FROM gateway_identity_onboarding_exchanges
WHERE status IN ('metadata_pending','preparing','ready','credentials_saved') ORDER BY created_at`)
if err != nil {
return nil, err
}
defer rows.Close()
exchanges := make([]identity.PairingExchange, 0)
for rows.Next() {
exchange, scanErr := scanIdentityPairing(rows)
if scanErr != nil {
return nil, scanErr
}
exchanges = append(exchanges, exchange)
}
return exchanges, rows.Err()
}
func (s *Store) UpdateIdentityPairingExchange(ctx context.Context, id string, expectedVersion int64, update identity.PairingExchangeUpdate) (identity.PairingExchange, error) {
exchange, err := scanIdentityPairing(s.pool.QueryRow(ctx, `
UPDATE gateway_identity_onboarding_exchanges SET status=$3,remote_version=$4,last_error_category=NULLIF($5,''),